Yong Gang Li,Chao Yuan Cui,Yun Wu,Bing Yu Sun

DOI: https://doi.org/10.12783/dtcse/iceiti2016/6143

2016-01-01

Abstract:Virtualization is increasing rapidly recent years. Virtual machines have become not only attack objects but also criminal tools for computer crimes. Memory forensics technology can collect the evidence of virtual machine crimes effectively. Traditional memory forensics tools are deployed into the host where attackers always try to hide or delete the data generated during attack process. As a result, they can be bypassed or cheated in virtual machines. Besides, to get the complete information traditional tools always expand the forensics scale leading to massive redundant information. For the sake of these problems, we propose a new method of virtual machine memory forensics based on event trigger mechanism named VMMF. The experiment results show that the new method can get the code section, data section, kernel stack content, dynamic-link library file, and execution path of the suspicious process in Linux. It just focuses on the suspicious process content reducing redundant information.

JIN Wei,LI Ming-lu,WENG Chu-liang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.15.036

2011-01-01

Abstract:This paper aims to explore the security of the Virtual Machine Monitor(VMM),combined with open source virtualization software Xen to analyze the potential threats and vulnerabilities,such as tampering with hypercalls,malicious direct memory access.It designs and implements a way to undermine the stability of virtual machine by modifying VCPU state and meanwhile give countermeasures,such as verifying critical data structures to discover whether it is invaded,or forbidding the loading of module to eliminate all possible security risks posed by the module.

Xinghui Zhu,Guang Lu,Fei Yu,Shuqiang Yang,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.108

2006-01-01

Abstract:In today's operating system, memory management policies based on the data-copying and hidden mechanisms blocks the system performance which is far from expectation. This paper introduces an innovative memory management system powered by vertical architecture PVM. The paper first describes the model and architecture of PVM, followed by an analysis of lazy management of virtual address space and the management of two-layer-cached physical memory.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Xiaolin Wang,Binbin Zhang,Haogang Chen,Xinxin Jin,Yingwei Luo,Xiaoming Li,Zhenlin Wang

DOI: https://doi.org/10.1109/CIT.2010.392

2010-01-01

Abstract:Intel and AMD have provided hardware support, VT and SVM, to support classical full virtualization. The hardware extensions help to implement a VMM without changing the guest OS or resorting to software binary translation. Ironically, a VMM using VT or SVM has not yet met performance expectation. One major reason is that there still exist too many VM exits that incur significant overhead. This paper proposed a novel method, Competition in Bucket Method (CBM), to track all VM exits efficiently. The analysis and experiments show that, CBM can find out hot VM exits efficiently.

Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

WANG Xiaolin,ZHANG Binbin,JIN Xinxin,WANG Zhenlin,LUO Yingwei,LI Xiaoming

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.06.002

2011-01-01

Abstract:It’s essential to learn about sensitive instructions that cause virtual machine (VM) to exit to the virtual machine monitor (VMM) to find new ways to optimize the performance of VM.This paper proposes a novel method,competition in bucket method (CBM),to track all VM exits efficiently,by mapping sensitive instructions to buckets according to instruction addresses,and find out hot instructions in each bucket.

Yuhang Gao,Tianjie Cao

2010-01-01

Abstract:Physical memory is a useful information source in a forensic examination, but the research on memory forensics is still in the early stage. Once the processes are located, computer forensic personnel can acquire the opened files, the network connections via further processing. This paper proposed methods of searching for process descriptors in Linux dump file. Our experiments shows that our methods are able to locate hidden, terminated and even processes before rebooted under some circumstances. An analysis of performance between different methods is made and results show the brute force method find the most while method based on slub allocator is highly efficient. Besides, our experiments shows a process survives from minutes to hours after it is terminated in Linux 2.6.23 and slub allocation obviously has an impact on memory forensics. These methods proposed to searching for processes not only can apply to Linux memory forensics in locating hidden, exiting processes, but also can be of interest to the malware analyzing. Keywords-memory dump file; Linux memory analysis; digital evidences; file extraction

Youhui Zhang,Gelin Su,Liang Hong,Weimin Zheng

DOI: https://doi.org/10.1109/PACIIA.2008.251

2008-01-01

Abstract:Today Virtual Machine (VM) technologies play anactive role in some IT field. But few researches have beendone on the I/O performance of the OS running in VM. This paper deals with measurements and analysis of reading large files on Windows systems in VM. Compared with the system on hardware directly, OS in VM owns a more complicate storage hierarchy, which contains the OS cache, VM cache and disk buffer. For this case we implement an evaluation environment where many read tests with different configurations have been completed. The performance study shows an I/O throughput drop by a factor 2 depending on the request size and up to a factor 2 depending on the specified access mode. We evaluate and identify the key issues affecting the performance and a corresponding access model is constructed based on these results. Moreover, a unified VM cache is presented, which can support more than one VM synchronously in ahost. Tests show that it can improve the read performance because it avoids storing multi instances of shared data to increase the cache efficiency. Our work can be used to optimize the I/O strategy for a given application or design the VM with higher efficiency.

YANG Feng,JIANG Hui,ZHUGE Jian-wei,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.08.040

2012-01-01

Abstract:Due to the advantages of resources utilization,management and isolation,Virtualization Technology has been widely used in the areas of virtual server,malware analysis and cloud computing platform.The malicious code writers and security researchers start a new game in Virtualization Technology,and how to detect the presence of virtual environments becomes a hot research topic.This paper,introduces the significance of Virtual Machine Environment(VME) Detection Methods,uses examples to describe the principles and methods of local and remote VME detection,makes a summary of VME Detection Methods,indicates the direction of Virtualization transparency,analyses and discusses the future trend.

Jie Lin,Chuanyi Liu,Xinyi Zhang,Rongfei Zhuang,Binxing Fang

DOI: https://doi.org/10.1109/dsc.2019.00086

2019-01-01

Abstract:Virtual machine protection is an advanced anti-reverse packing technology. This paper presents a framework for automatic analysis of binary packed by virtual machine protection software. Using multi-granularity dynamic instrumentation to trace binary can effectively record instruction execution and value changes in memory and register. Symbol execution is used to simplify assembly instructions and filter invalid instructions. The experimental results show that the method presented in this paper can effectively assist reverse engineers in the analysis of packed program by virtual machine protection.

Yong-gang LI,Chao-yuan CUI,Ping LI

DOI: https://doi.org/10.16208/j.issn1000-7024.2016.06.051

2016-01-01

Abstract:Aiming at the problem of the present situation that it is difficult to get the process content of guest OS out of virtual machine and there exists semantic gap between virtual vachines,a technology for obtaining the process content in virtual machine operating system was put forward.On the Xen virtualization platform,the technology started with virtual CPU context informa-tion,and got the process content in memory page by page.The specific data structure was analyzed to acquire the underlying in-formation in memory.The technology can get a list of processes as well as the process code,map files and all other process’s un-derlying information of the guest OS out of virtual machine.The process content gained can provide a foundation for the study of process at granularity.

Hongwei Duan,Liang Shi,Qingfeng Zhuge,Edwin Hsing-Mean Sha,Changlong Li,Yujiong Hang

DOI: https://doi.org/10.1109/NVMSA53655.2021.9628430

2021-01-01

Abstract:Emerging byte-addressable. non-volatile memory provides opportunities for preserving files in memory. However, there is no systematic performance study across different file systems. This paper evaluates the performance of modern NVM-based file systems (e.g., PMFS, SIMFS, and NOVA) with a series of preliminary studies. Several interesting findings are concluded with our study, which should be well considered by file system designers during the employment. Furthermore, this paper explores the visualization of NVM-based file systems and develops NVMPlayer. To the best of our knowledge, this is the first graphical tool to display the internal mechanisms of NVM-based file systems. It demonstrates how visualization can help us shed light on the complex phenomena in NVM-based file system and expose new opportunities for optimization.

Xianming Zhong,Chengcheng Xiang,Miao Yu,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1007/s10766-013-0285-2

2015-01-01

International Journal of Parallel Programming

Abstract:Digital evidences hold great significance for governing cybercrime. Unfortunately, previous acquisition tools were troubled by either the shortage of suspending the target system's running or the security of the acquisition tools themselves, thus the correctness and accuracy of their obtained evidences cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization technique to gather integrated information from the native computer system. Meanwhile, the execution of the target system will not be interrupted and VAIL keeps immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidences from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. And on average, VAIL only introduces 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Xian Chen,Wenzhi Chen,Zhongyong Lu,Yu Zhang,Rui Chang,Mohammad Mehedi Hassan,Abdulhameed Alelaiwi,Yang Xiang

DOI: https://doi.org/10.1002/cpe.4028

2017-01-01

Abstract:SummaryWith the advantages of extremely high access speed, low energy consumption, nonvolatility, and byte addressability, nonvolatile memory (NVM) device has already been setting off a revolution in storage field. Conventional storage architecture needs to be optimized or even redesigned from scratch to fully explore the performance potential of NVM device. However, most previous NVM‐related works only explore its low access latency and low energy consumption. Few works have been done to explore the appropriate way to use NVM device for improving virtual machine's storage performance. In this paper, we comprehensively evaluate and analyze conventional virtual machine's storage architecture. We find that, even with cutting‐edge optimization technologies, virtual machine can only achieve 30% of NVM device's original performance. Based on this observation, we propose a memory bus–based storage architecture, which we named MBSA. Memory bus–based storage architecture can greatly shorten the length of virtual machine's storage input/output stack and improve NVM device's use flexibility. In addition, an efficient wear‐leveling algorithm is proposed to prolong NVM device's lifespan. To evaluate the new architecture, we implement it as well as the wear‐leveling algorithm on real hardware and software platform. Experimental results show that MBSA can provide a big performance improvement, about 2.55X, and the wear‐leveling algorithm can efficiently balance write operations on NVM device with a negligible performance overhead (no more than 3%).

Miao Yu,Zhengwei Qi,Qian Lin,Xianming Zhong,Bingyu Li,Haibing Guan

DOI: https://doi.org/10.1016/j.diin.2012.04.002

2012-01-01

Digital Investigation

Abstract:Current live acquisition systems can obtain memory content of a running system, but they either fail to provide accurate native system physical memory acquisition at the given time point or require suspending the machine and altering the execution environment drastically. To address this issue, we propose Vis, a lightweight virtualization approach to provide accurate retrieval of physical memory content without disturbing the execution of the target native system. Our experimental results indicate that Vis is capable of reliably retrieving an accurate system image. Moreover, Vis accomplishes live acquisition in around 100 s, where previous remote live acquisition tools take hours and static acquisition takes days. On average, the performance reduction for the target system is 9.62%. (C) 2012 Elsevier Ltd. All rights reserved.

Youhui Zhang,Yu Gu,Hongyi Wang,Dongsheng Wang

DOI: https://doi.org/10.1109/sbac-pad.2006.32

2006-01-01

Abstract:In this paper we present a storage-based intrusion detection system (IDS) that makes use of advantages of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) can prevent the IDS itself from potential attacks while the smart disk technology provides IDS with a whole view of the file system of the monitored VM. We show how to use a tool and some file system knowledge to enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage) as well as how to detect the changes to file content on-line. Based on these features, normal file-level intrusion detection (ID) rules can be converted to sector-level ones in order to integrate ID functions to the virtual storage. We implement such a prototype based on QEMU VMM and the OS of VM is Windows XP. Moreover the time overhead introduced by this solution is tested

Qian Zhao,Tianjie Cao

DOI: https://doi.org/10.4304/jcp.4.1.3-10

2009-01-01

Journal of Computers

Abstract:When investigators are faced with a target system, they want to find sensitive information such as userID and password. Unfortunately, sensitive information can not be found on the hard drive in most cases. Consequently, sensitive information needs to be gathered from physical memory. In our research, we have found lots of sensitive information from physical memory by different techniques. Besides userID and password, we also have found QQ-chat logs that never have been referred in other papers.

HaoGang Chen,XiaoLin Wang,ZhenLin Wang,BinBin Zhang,YingWei Luo,XiaoMing Li

DOI: https://doi.org/10.1007/s11432-010-3113-y

2010-01-01

Science China Information Sciences

Abstract:Memory virtualization is an important part in the design of virtual machine monitors (VMM). In this paper, we proposed dynamic memory mapping (DMM)model, a mechanism that allows the VMM to change the mapping between a virtual machine’s physical memory and the underlying hardware resource while the virtual machine is running. By utilizing DMM, the VMM can implement many novel memory management policies, such as Demand Paging, Swapping, Ballooning, Memory Sharing and Copy-On-Write, while preserving compatibility with various architectures. The modular and hierarchical property of the DMM model efficiently incorporates the high-level policies and the low-level implementations, leading to a feature-adjustable VMM design. We presented the principle of the DMM model, and explained the procedures of various memory management policies under this model. Also, we implement the DMM model in KVM, an open source VMM. Our evaluation shows that the DMM model is efficient enough to provide the benefits of dynamic memory resource management with little performance impact.